
Data Privacy in the Financial Services Industry



Risk & Compliance the way we see it

Data Privacy in the Financial Services Industry

How high-profile data breaches have impacted the privacy landscape

Contents

1 Overview
2 Data Privacy: An Industry Perspective
   Data Privacy and its Importance in the Financial Services Industry
3 Securing Data and Managing Breaches in the Financial Services Industry
   A Look at High-Profile Data Breaches
   A Brief Overview of Privacy Regulations across the Globe
   Cost Implications of Data Breaches
   Challenges to Data Breach Prevention in an Organizational Setup
4 Emerging Global Data Privacy Trends
   Data Breach Evolution
   Regulatory Focus
   Technological Evolution
5 Data Privacy Recommendations and Solutions for Financial Services Institutions
6 Conclusion
Appendix A: Managing Data Privacy in a Cloud Environment
Appendix B: Managing Data Privacy in an Offshore Environment
References

1 Overview

Divulging personally identifiable information during a business transaction has become a commonplace occurrence for most individuals. This activity can span from sharing of bank account numbers, loan account numbers, and credit/debit card numbers, to providing non-financial personally identifiable information such as name, social security number, driver's license number, address, and e-mail address. In short, there is a deluge of personally identifiable information that banking, capital markets, and insurance industries deal with and possess as a part of their day to day business.

Due to the rising threat of data breaches, identity theft, and associated fraud across industries, companies are increasingly focusing on enhancing data privacy programs. The problem of data breaches is a concern across all industries; however the financial services industry is a primary target of fraudsters due to the inherent value of the underlying data. This paper discusses the importance of data privacy from the perspective of the financial services industry, with an emphasis on the challenges firms face in day-to-day business operations. It also analyzes the role that government organizations across the globe are playing in formulating privacy laws and overseeing compliance.

Finally, we analyze the steps financial services firms need to take to better protect against data breach incidents through the design of proactive data privacy programs.

2 Data Privacy: An Industry Perspective

Maintaining the privacy of confidential customer information has become essential for any firm which collects or stores personally identifiable data. Such information may be general yet sensitive such as names, addresses, and social security numbers; or it can be crucial and financially sensitive data such as credit card, debit card or bank account numbers. The financial services industry operates and deals with a significant amount of confidential client and customer data for daily business transactions.

Due to the perceived value of this data, the financial services industry is one of the primary targets for data breaches.

As financial services institutions are the richest sources of personally identifiable information, both general and financial, they are primary breach targets and need a comprehensive data privacy strategy.

Exhibit 1: Industry Groups Represented by Breach Events (%), 2010

Hospitality: 40%
Retail: 25%
Financial Services: 22%
Government: 4%
Manufacturing: 2%
Tech Services: 2%
Others: 2%
Business Services: 1%
Healthcare: 1%
Media: <1%
Transportation: <1%

Source: Capgemini Analysis, 2011; 2011 Data Breach Investigations Report, Verizon

Hospitality, retail, and financial services have been among the industry verticals that were most affected by data breach events in 2010.

Collectively these three verticals accounted for around 87% of data breach events recorded, with financial services accounting for almost 22% of total breach cases reported across industries in 2010 [1]. On a positive note for the financial services industry, this 22% represents a drop from 33% in 2009. The 2010 drop is likely due to recent arrests and prosecutions following large scale intrusions in the financial services industry, which is also leading to increased focus on less reactive targets such as the retail and hospitality industries.

[1] 2011 Data Breach Investigations Report, Verizon

Another way to measure breaches is the number of records that were compromised.

In 2010, approximately 35% of the total records compromised came from financial services. Even based on this measure, 2010 has been a relatively good year for the financial services industry since the traditional historical average has been 90% or more. This decrease reflects the lack of large-scale mega breaches in the financial services space in 2010.

Data Privacy and its Importance in the Financial Services Industry

The financial services industry is one of the primary data breach targets due to the perceived value of the underlying data.

The operational structure of financial services institutions requires them to have more stringent data security standards as compared to those operating in other industries. On a regular basis, financial service firms deal with large amounts of personal and confidential customer information including bank account information, debit or credit card data and other business confidential customer data.

Data privacy regulations and the potential reputational risks associated with breach events make having a strong data privacy policy in place even more important. The success or failure of a financial service firm can depend on how it balances the use of confidential customer information while maintaining privacy. To capitalize on emerging growth opportunities, financial firms need to be flexible in sharing confidential customer data, whether across different departments, affiliated partners, or non-affiliated third parties such as technology or outsourcing firms, while complying with regulations and protecting the company's reputation.

The key lies in this delicate balance between data sharing flexibility and maintaining data privacy.

3 Securing Data and Managing Breaches in the Financial Services Industry

A Look at High-Profile Data Breaches

A quick glance through some of the most high profile data breaches affecting U.S. customers highlights that six of the top ten data breach events that have occurred since 2007 were at financial service firms, though the number of breaches in the financial services firms has decreased in 2010 and 2011.

Six of the top ten data breach events that have occurred since 2007 were at financial service firms.

Exhibit 2: Top Ten Data Breaches across Industries Affecting Consumers (2007-2011)

Date | Breach event | Industry | Compromised Reported Records (millions)
Jan 2009 | Heartland Payment Systems | Financial Services |
Jan 2007 | TJ Stores (TJX)* | Retail/Merchant |
Oct 2009 | Military Veterans | Government |
Aug 2008 | Countrywide Financial Corp. | Financial Services |
Mar 2008 | Bank of New York Mellon | Financial Services |
Apr 2011 | Sony, PlayStation Network (PSN), Sony Online Entertainment (SOE) | Retail/Merchant |
Jul 2007 | Fidelity National Information Services / Certegy Check Services Inc. | Financial Services |
Jan 2009 | TD Ameritrade Holding Corp. | Financial Services |
Sep 2011 | Tricare Management Activity, SAIC | Other |
Jan 2009 | CheckFree Corp. | Financial Services |

* Includes TJMaxx, Marshalls and Winners in , Puerto Rico, Canada, and Ireland

Source: Capgemini Analysis, 2011; Chronology of Data Breaches,

While 2010 was relatively mild in terms of records breached, 2011 has been notable for a few high profile data breaches, notably the Sony PlayStation network breach which affected over 100 million customers globally.

